ZSNES Total Control

Discussion of hardware and software development for Super NES and Super Famicom.

tepples
Posts: 22017
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)

ZSNES Total Control

Post by tepples » Fri Feb 05, 2016 2:11 pm

In this post (http://forums.nesdev.com/viewtopic.php?p=163936#p163936), adam_smasher wrote: ZSNES also has a known security flaw that allows for arbitrary code execution on the host machine.
So does the Super Game Boy, but that was intentional.

More to the point: So do Super Mario Bros. 3 (bug 4961), Super Mario World (bug 4156), and Pokémon Yellow Version (bug 3894). I wonder whether ZSNES's bug could be combined with the bug in SMW to take control of a PC from a movie file. And is there a guide to making your own exploit package, so I can (say) write a .sfc program with a "Check for updates" feature that detects whether a new version of the game is available and offers to download it?

Revenant
Posts: 442
Joined: Sat Apr 25, 2015 1:47 pm
Location: FL

Re: ZSNES Total Control

Post by Revenant » Fri Feb 05, 2016 2:38 pm

The zsnes exploit specifically involves a lack of sanity checks in the SA-1 emulation (for DMA transfers, if I remember right?)

The binaries and source for the PoC in that video are here, and I think one/both of the source packages has an explanation of how it works.

The exploit was fixed in the current development branch of zsnes, which is (or was, at the time) pretty much unusable for general gameplay purposes. I have no idea why they didn't release a patched version of 1.51 that people would actually have a reason to use, especially given how the zsnes release timeline looks.
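The class of bug Revenant describes, a guest-programmed DMA transfer whose registers are used as host offsets without validation, as an added illustration that is not ZSNES's code and does not reproduce its actual SA-1 implementation. The buffer sizes, the single ROM-to-WRAM transfer and the scenario functions are all assumptions made for this example; a real SA-1 decodes several source and destination regions. It shows the unchecked copy beside a checked one, including the length-wrap case that a naive 32-bit `src + len <= size` test would let through.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical host-side buffers for two guest memory regions.
 * Sizes and layout are assumptions for this example, not ZSNES's. */
#define ROM_SIZE  (64u * 1024u)
#define WRAM_SIZE (8u * 1024u)

typedef struct {
    uint8_t rom[ROM_SIZE];
    uint8_t wram[WRAM_SIZE];
} emu_t;

/* The unsafe pattern: the guest's DMA registers (src, dst, len) are used
 * directly as host offsets. A ROM that sets dst close to the end of WRAM
 * makes memcpy write past the emulator's buffer into whatever the host
 * allocated next. Shown for contrast; never call it with untrusted values. */
void dma_unchecked(emu_t *e, uint32_t src, uint32_t dst, uint32_t len)
{
    memcpy(e->wram + dst, e->rom + src, len);
}

/* The hardened form: bounds-check both ranges before touching memory.
 * The additions are done in 64 bits so that a src or dst near 2^32 cannot
 * wrap around and slip past a 32-bit "src + len <= size" comparison. */
bool dma_checked(emu_t *e, uint32_t src, uint32_t dst, uint32_t len)
{
    if ((uint64_t)src + len > ROM_SIZE)  return false;  /* source leaves ROM */
    if ((uint64_t)dst + len > WRAM_SIZE) return false;  /* destination leaves WRAM */
    memcpy(e->wram + dst, e->rom + src, len);
    return true;
}

/* Constructed scenario 1: destination 4 bytes before the end of WRAM with a
 * 16-byte length. Returns true when the checked path rejects it. */
bool demo_oob_dst_rejected(void)
{
    static emu_t e;
    memset(&e, 0, sizeof e);
    return !dma_checked(&e, 0, WRAM_SIZE - 4, 16);
}

/* Constructed scenario 2: source offset chosen so that src + len wraps to a
 * small value in 32-bit arithmetic. Returns true only if a naive 32-bit check
 * would accept the request and the 64-bit check still rejects it. */
bool demo_wrapped_src_rejected(void)
{
    static emu_t e;
    memset(&e, 0, sizeof e);
    uint32_t src = 0xFFFFFFF0u;
    uint32_t len = 0x20u;
    bool naive_accepts = (src + len <= ROM_SIZE);  /* src + len wraps to 0x10 */
    return naive_accepts && !dma_checked(&e, src, 0, len);
}

/* Constructed scenario 3: an in-range 256-byte transfer of the pattern
 * 0..255. Returns the sum of the bytes that landed in WRAM (32640). */
uint32_t demo_in_range_checksum(void)
{
    static emu_t e;
    memset(&e, 0, sizeof e);
    for (uint32_t i = 0; i < 256; i++) e.rom[0x1000 + i] = (uint8_t)i;
    if (!dma_checked(&e, 0x1000, 0x100, 256)) return 0;
    uint32_t sum = 0;
    for (uint32_t i = 0; i < 256; i++) sum += e.wram[0x100 + i];
    return sum;
}

int main(void)
{
    printf("oob dst rejected:     %d\n", demo_oob_dst_rejected());
    printf("wrapped src rejected: %d\n", demo_wrapped_src_rejected());
    printf("in-range checksum:    %u\n", demo_in_range_checksum());
    return 0;
}
```

The point of the second scenario is the one that gets missed when a check is bolted on after the fact: validating `src + len` in the register's own width is not enough, because the guest controls both operands and can pick them to wrap. Validate in a wider type, or compare `len` against `size - src` after first checking `src < size`.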

Near
Founder of higan project
Posts: 1550
Joined: Mon Mar 27, 2006 5:23 pm

Re: ZSNES Total Control

Post by Near » Fri Feb 05, 2016 3:47 pm

> I wonder whether ZSNES's bug could be combined with the bug in SMW to take control of a PC from a movie file.

You definitely could if you used an SA-1 enabling hack on Super Mario World first.

I'm certain there are non-SA1 code execution bugs in ZSNES as well, if one were to try and find them. They found out about the SA-1 one because a ROM hack was causing weird emulator crashes.

> I have no idea why they didn't release a patched version of 1.51 that people would actually have a reason to use, especially given how the zsnes release timeline looks.

They haven't put out a new release since January of 2007. We're a year shy of a decade without a release.

I keep thinking, "will this be the year people stop believing a new version will be released?", and am continually disappointed.

Sik
Posts: 1589
Joined: Thu Aug 12, 2010 3:43 am

Re: ZSNES Total Control

Post by Sik » Fri Feb 05, 2016 5:01 pm

Not SNES, but I suppose Regen has a similar issue? Because it consistently crashes whenever a program tries to access unmapped memory (instead of emulating it properly). I should know, it happens pretty much every time my code crashes, i.e. precisely when I would want to use Regen the most (for its disassembler). Argh!
